Vulnerability Recap 6/3/24: Check Point, Fortinet & Okta (2024)

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Last week, major security vendors Check Point and Okta both notified customers of threats, and an old Fortinet vulnerability reared its head when researchers published a proof of concept for it. Spoofed browser upgrades download malware onto victims’ computers, and threat actors have been actively exploiting a Linux kernel vulnerability. Check your vendors’ security bulletins regularly, and make sure your team is following security news to patch issues as soon as they arise.

May 28, 2024

Check Point VPN Zero-Day Vulnerability Requires Hotfix

Type of attack: Information disclosure zero-day.

The problem: Recently discovered zero-day CVE-2024-24919 affects Check Point virtual private network (VPN) products. It’s an information disclosure vulnerability that allows hackers to access business networks using the VPN products.

After exploiting this vulnerability, a threat actor could read data on Check Point Security Gateway appliances. Conditions for a breach are connecting to the internet and enabling the gateway with Remote Access VPN or Mobile Access Software Blades.

Check Point discovered the vulnerability about a month ago, noticing a few exploit attempts on a few customers’ networks, and warned customers about it last week after determining the root cause. “The attempts we’ve seen so far… focus on remote access scenarios with old local accounts with unrecommended password-only authentication,” the security bulletin said.

The fix: Check Point provided a hotfix with instructions for users to follow when patching their Security Gateway products.

FortiSIEM Vulnerability Allows Remote Code Injection

Type of vulnerability: Remote code injection.

The problem: Some versions of Fortinet FortiSIEM allow “improper neutralization of special elements” within an OS command injection. This permits threat actors to use specific API requests to execute code remotely. The vulnerability is tracked as CVE-2024-23108 and has a CVSS severity rating of 10.0.

Fortinet patched it in February, but researchers from Horizon3AI recently published a blog with a proof of concept for the vulnerability. The PoC is available on Horizon3AI’s GitHub account.

This vulnerability affects the following versions of Fortinet FortiSIEM:

• 7.1.0 through 7.1.1
• 7.0.0 through 7.0.2
• 6.7.0 through 6.7.8
• 6.6.0 through 6.6.3
• 6.5.0 through 6.5.2
• 6.4.0 through 6.4.2

The fix: Fortinet has already patched FortiSIEM. Update to the newest software version if possible, or if you use one of the above versions, upgrade it to one not listed.

If your business needs a reliable method of locating vulnerabilities quickly, check out our list of the best vulnerability scanning tools.

Okta Customer Identity Cloud Susceptible to Attacks

Type of vulnerability: Credential stuffing attack.

The problem: Okta has warned its customers of credential stuffing attacks within the cross-origin authentication feature in Okta’s Customer Identity Cloud. Okta said it had already notified and provided an instruction email to customers who had the cross-origin authentication feature enabled on their instance.

Okta had observed endpoints supporting the feature being hit with credential stuffing, an attack that bombards applications or services with already-discovered usernames and passwords to see if any of them work.

Okta recommends reviewing the following log events:

• fcoa: Failed cross-origin authentication
• scoa: Successful cross-origin authentication
• pwd_leak: Someone attempted to login with a leaked password

The fix: Rotate credentials immediately if you’ve seen spikes in these events in your log files, regardless of whether your business has the cross-origin authentication feature enabled. Okta recommends users do the following:

• Block users from creating weak passwords.
• Require a minimum of 12 characters that don’t include parts of the user name.
• Block any passwords in the Common Password List.

Okta also suggests that users restrict all permitted origins if they have to use cross-origin authentication.

May 29, 2024

Spoofed Browser Updates Hide Malicious Files

Type of vulnerability: False browser upgrades that download malicious software.

The problem: Cybersecurity firm eSentire’s threat response unit discovered fake browser updates that delivered instances of BitRAT and Lumma Stealer malware. eSentire had also seen FakeBat malware being similarly distributed in April.

In this attack, an infected webpage with malicious JavaScript code directs users to a spoofed notice that they need to upgrade to a new browser version. When they try to upgrade, a zip file downloads onto their computer. Discord, which has lately been heavily used as a cyberattack surface, hosts the zip archive file.

The fix: This GitHub page hosts the indicators of compromise for such an attack. eSentire recommends using updated antivirus software or an endpoint detection and response (EDR) solution to prevent these attacks.

May 30, 2024

Akamai Finds Changes in RedTail Malware

Type of vulnerability: Command injection vulnerability.

The problem: Security vendor Akamai reported on a recent adjustment to the RedTail cryptomining malware, anti-research tactics that make it harder to identify in systems. RedTail is now exploiting a vulnerability in Palo Alto’s PAN-OS software: CVE-2024-3400, a command injection vulnerability caused by arbitrary file creation.

According to Akamai, RedTail malware has started using private cryptomining pools, which looks similar to tactics used by threat actor group Lazarus. RedTail targets Internet of Things devices, SSL-based virtual private networks, and devices such as Palo Alto Global Protect.

The fix: Akamai says that it should be easy to find Palo Alto devices within your IT asset inventory and they should already be patched given their sensitivity. Akamai also offers the App & API Protector, which can identify and reject any RedTail delivery attempts mentioned in the report.

CISA Warns Users of Linux Kernel Vulnerability Exploits

Type of vulnerability: Use-after-free.

The problem: The Cybersecurity and Infrastructure Security Agency (CISA) recently warned Linux users that a previously-patched use-after-free vulnerability is being actively exploited. The vulnerability resides in the kernel’s netfilter: nf_tables component. When exploited, it allows threat actors to escalate privileges locally.

The vulnerability is tracked as CVE-2024-1086. It was patched in February 2024 but is still being exploited. The hunter who found this bug, Notselwyn on GitHub, released a proof of concept for the vulnerability in March and also wrote a technical report covering it.

The National Vulnerability Database (NVD) says, “The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT.”

The fix: NVD suggests upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.

May 31, 2024

Secrets Within Hugging Face Spaces May Have Been Exposed

Type of vulnerability: Unauthorized access to secrets.

The problem: AI company Hugging Face recently announced that its Spaces platform was subject to unauthorized access. Spaces allows users to browse AI apps designed by other users within the community. Hugging Face suspects that a threat actor may have accessed Spaces secrets when they accessed the platform.

Hugging Face said it’s working with outside forensic specialists to investigate the unauthorized access case and review its policies and procedures in general, too. It also reported the incident to data protection authorities and law enforcement agencies. Hugging Face explained that it has completely removed org tokens and implemented a key management service for Spaces secrets.

The fix: Hugging Face revoked some tokens present in the secrets that could have been exposed. “Users whose tokens have been revoked already received an email notice,” its security notice said. “We recommend you refresh any key or token and consider switching your HF tokens to fine-grained access tokens which are the new default.”

Read next: